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Abstract 

We propose a protocol for anonymous distribution of quantum information that can be used 
to implement either channel with anonymous sender or channel with anonymous receiver. Our 
protocol achieves anonymity and message secrecy with unconditional security. It uses classical 
anonymous transfer. It tolerates disruption of the protocol, but the number of disrupters must be 
limited by the quantum Gilbert-Varshamov bound. This bound can be exceeded provided a specific 
entanglement distillation procedure will be used. A different version of the protocol tolerates any 
number of disrupters, but is secure only when receiver does not actively cooperate with other 
corrupted participants. 
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1 Introduction 



The amount of data transmitted via Internet or computer networks in general grew rapidly during last 
dècades and it is expected that even more data influencing everyday life and economy will flow this 
way. On the other hand, computing and storagc power of contemporary computers and improvement 
of algorithms allow automàtic processing of huge amount of data and thus also filtering and tracing 
particular messages. Thcse can be selected according to sender, receiver or even content. While the 
content of a message can be secured using various mcthods of encryption, sometimes already the 
existence of the message as well as the identity of its sender and recipient are sensitive information. 
By following recipients of your messages one can determine a lot about your personal or professional 
life. 

As a reaction on such an abuse of computer networks a number of mcthods assuring user (i.e. 
sender and/or receiver) anonymity were proposed. These methods include both computationally [1] 
and unconditionally secure solutions [2, 3, 4, 5]. While the latter are usually less efl·leient, they are the 
only way to ensure provable anonymity of sender and/or receiver. This cstablishcs them as an important 
part of modern cryptography and justifies the attention they have received during last twenty years. 
It is slightly surprising that applications of these primitives go far beyond preserving anonymity of 
communicating parties. Anonymous transfer protocols are known to have wide applications in design 
of secure ballot elections [6] , Byzantine agreement [7] or key distribution protocols [8] and are the key 
ingredient of digital pseudosignatures [9] . 

In this paper we propose a protocol realizing anonymous transfer of quantum information, which 
has equivalent importance for future quantum networks as preserving anonymity in classical networks. 
Using anonymous transfer of classical information as a primitive 1 it assures anonymity, secrecy of the 
message and detection of disrupters (also tracelessness, see below). 

Bcfore continuing with cxplanation of our approach we would like to stress diffcrenccs to the paper 
[10], where authors independently proposed a number of ideas and techniques contained also in our 
paper. Main results of the paper [10] are two protocols, one for anonymous transfer of classical infor- 
mation and one for anonymous transfer of quantum information. The main motivation was to design 
traceless 2 protocols, while sacrificing security of the message and detection of disrupters. Also, authors 
did not design the protocols from scratch neither based them on some well-established cryptographic 
primitives. The initial assumption of these protocols is that participants share securely created and 
distributed generalized GHZ state. Distribution of this state is an important part of our protocol, 
where one can achieve security stronger that the one proposed in [10]. 

The paper [10] demonstrates that quantum information processing might offer resources allowing 
anonymous transfer of classical information with security features not achicvablc by classical cryptog- 
raphy. Recently, there were proposed also other quantum techniques [11, 12], which partly establish 
anonymous transfer protocol for classical information. While these solutions achieve no security im- 
provements in contrast to classical protocols, they propose altcrnative ways of founding anonymous 
transfer on principies of quantum mechanics. 

2 Terminology and definit ions 

2.1 General approach to multi-party cryptographic protocols 

Before introducing anonymous transfer problem we will briefly recapitulate general approach to secure 
multi-party computation, which is a nice and uniform way of modeling cryptographic protocols, espe- 
cially adversàries. In what follows we will denote P the set of all participants of the protocol. The 
main goal of multi-party cryptographic protocols is to ensure that honest participants achieve the goal 
specified in the dcfmition of the problem regardless of actions of dishonest participants. 

In order to model that all malicious participants fully cooperate, we intèrpret the cheating in the 
way that the (active) adversary is a participant not included in the set P who takes full control of some 

1 lt means we use it as a blackbox. Note that composite protocol can bc only as secure as its weakest part so the 
security of the primitive may limit security of the composite protocol. 

2 Protocol is traceless if it remains secure (anonymous) even after all participants publish all random bits they used. 
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subsct C C P of participants 3 of the protocol. Hc is complctcly controlling participants in the set C, 
especially he has access to their internal memory, can read their inputs and controls their outputs. 
This approach was introduced in context of composable security, see e.g. [13] and references included 
thercin. 

In this approach we can distinguish active and passive adversàries. Passive adversary controls the 
set of corrupted participants only in a limited way - he can read all their inputs, outputs and internal 
information, but he cannot change behavior of corrupted participants. In this sense the protocol [10] is 
securc against passive adversary. Active adversary has all abilities as the passive one, and, in addition, 
he can change behavior of corrupted participants. Our protocol is safe against active adversary. 

There also exists an alternative approach to model cheating in protocols. This approach is more 
traditional and sometimes allows to explain more easily cheating objectives of groups of participants, 
but it is less formal. Cheating objectives are usually specified by description of potential cooperating 
sets (collusions) of malicious participants together with goals they are willing cooperate on. 

In our paper we will use both approaches, we use the single adversary approach mainly to explain 
generality of our adversary model while the collusion-based approach is used in concrete situations to 
explain cheating objectives of single participants of collusions. The switching between both approaches 
is easy and natural. 

Finally, we would likc to mention that in the setting of complex cryptographic protocols (e.g. 
anonymous channels) we are not interested in adversary able to tamper with bipartitc communication 
channels, namely we require that he is not able to modify bipartite communication. It makes no harm 
if he can read the communication, however, in quantum case authcntication of a particular channcl 
implics also its encryption [15]. 

2.2 Definition of anonymous message transfer 

The term anonymous transfer ineludes a wholc range of diffcrent subproblcms. In order to be consistent 
we adopted the terminology introduced in [14]. In this subsection we will briefly review part of this 
terminology necessary for our paper. 

Anonymity of an object is the state of being not idcntifiable within a set of subjeets known as 
the anonymity set. Anonymity set usually consists of parties able to perform a particular action we 
are interested in. In our case it means that the sender (receiver) is not idcntifiable within a particular 
set of potential senders (receivers). 

The concept of unconditionally secure anonymity was introduced by Chaum [2] as the problem of 
dining cryptographers and all solutions based on the technique introduced in this paper are denoted 
as DC-nets. There is a number of different anonymous channels, we will consider primarily three bàsic 
versions. 

Anonymous broadeast was the original setting introduced in [2] . There are n participants in this 
problem - n potential senders S = {-Pi}™ =1 and one real anonymous sender S G S. S has a message 
msg and wants to broadeast it in the way that 

• Everyone receives msg. 

• When adversary corrupts some set of participants C C S, then the anonymity set 4 of the sender 
is S \ C. 

• No one (except sender) can disrupt 5 the protocol without being detected. 

In message transfer with anonymous sender (MTAS) there are n participants - (n — 1) 
potential senders S = {Pi}™=i, one real anonymous sender S G S and one publicly known receiver 
R G P = S U {R}. S has a message msg and he wants to transmit it to R in the way that 

• R receives msg. 

3 When adversary corrupts some set of participants, it models the practical situation when all members of this set of 
participants are dishonest and are fully cooperating in order to compromise security of the protocol. 

4 This is quite strict, often the anonymity set might be smaller, however, this is precisely what is achievable classically 
and what our protocol achieves. 

°I.c. to bchave in the way that he prevents correct execution of the protocol. 
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• No one except S and R learns the messagc. 

• When adversary corrupts some set of participants C C P, then the anonymity set of the sender 
is S \ C. 

• No one (except S and R) can disrupt the protocol without being detected. 

Message transfer with anonymous receiver (MTAR) is close to the previous problem. There 
are n participants - (n— 1) potential receivers H, — {Pi}"Zi, one anonymous receiver Rgü. and one 
publicly known sender S'eP = RU{S'}. S has a message msg and he wants to transmit it to R in the 
way that 

• R receives msg. 

• No one except S and R learns the message. 

• When adversary corrupts some set of participants C C P, then the anonymity set of the receiver 
is R\ C. 

• No one (except S and R) can disrupt the protocol without being detected. 

All these primitives can be classically realized with unconditional sccurity against active adversary 
using solutions based on the dining cryptographer nets. 

In this paper we propose protocol for MTAS of quantum information and in conclusion wc show 
how to easily modify it to rcalize MTAR of quantum information. Before procecding to the design of 
the protocol we will briefly discuss cheating objectives of participants of the protocol in the case of 
MTAS. 

The sender S is the completely trusted participant in this problem - he has no cheating objectives. 
He knows all information, he has no reason to disrupt the protocol and also he has no reason to 
wrongfully aceuse some other participant of disruption - this will only decrease his anonymity set 6 . 

R is not interested in disruption of the protocol with one exception - he might be interested to 
disrupt the protocol provided that he can aceuse other participant of disruption and exclude him from 
the protocol. R also does not have to cheat in order to learn the message - he will learn it anyway. His 
main goal remains to learn the identity of the sender S. 

Other participants - potential senders - might be interested in a number of cheating objectives - 
thcy want to learn the identity of S 1 , they want to learn the message msg and they want to disrupt the 
protocol. 

3 Design of the Protocol and its Security 

Let us first discuss reasonability of the initial assumption of [10]. In the case we do not consider 
disrupters, this state can be easily created - it suffices that one randomly chosen participant creates 
and distributes it. He is trusted to do because by distributing different state he does not compromise 
anonymity of the sender and we suppose that participants are not interested in disruption of the 
protocol. Once we consider possible disruption, this assumption starts to be problemàtic. In case of 
anonymous channel for classical information it is not achievable, since existence of this state will imply 
unbiased multipartite coin tossing, what is not possible [16] in prcscncc of dishonest participants. 
In case of anonymous transfer of quantum information the situation seems to be similar, but the 
anonymous sender can act through classical anonymous channel to deliver trusted information to other 
participants. It might be interesting to investigate whether this changes the situation, although it does 
not seem to be probable. 

The first idea of our protocol, proposed also by [10], is that S can easily transfer any quantum state 
anonymously to R provided that S and R sharc an EPR pair, but R does not know who is controlling 
the other system. To transfer a state p S simply teleports it using the EPR pair to R and sends him the 

6 Important is that once the sender is (possibly) changed. all participants previously excluded (because of disruption) 
may join the protocol again. Otherwise sender may aceuse honest participant of disruption to reduce anonymity set of 
the next sender. 
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rcsult of thc mcasurcmcnt using anonymous broadcast, as described in Protocol 1. To implcment an 
anonymous transmission of quantum information it rcmains to design a protocol achieving anonymous 
sharing of an EPR pair. 



Protocol 1 MTAS of quantum information 

Participants: Potcntial senders S, publicly known receiver iï, unknown sender S G S 
Input: quantum system M 

Goal: S wants to send the state of M to R in the way that his identity remains secret. 
Requires: anonymous broadcast of classical information, EPR pair |<í >+ )5 fl shared between S and R 
such that the identity of S is unknown (even to R) . 

1: Sender S performs Bell measurement on the systems M and S and sends the outcome of the 

measurement to R using anonymous message broadcast. 
2: R uses this information to reconstruct the original state. 



In order to explain the design and security proof of our protocol in a transparent way we will 
introduce first highly simplificd Protocol 2 capturing the bàsic principle of the Protocol 3. Protocol 
2 in fact solves anonymous transfer of quantum information whcn we do not consider disrupters, 
but instead of assuming initially shared gencralizcd GHZ state it uses existing classical solution of 
anonymous channcl. 



Protocol 2 Anonymous noisy EPR gcneration without disruption detection 

Participants: Potential senders S = {Pi}^i , publicly known receiver R, unknown sender S £ S 
Goal: S wants to generate EPR pair(s) shared with R while staying anonymous. 
Requires: MTAR of classical information, bipartite authenticated quantum channel between each 
pair of participants 

1: Each Pi £ S creates n qubit quantum system in the state |$) = ^(|0}® n + keeps one 

subsystem and sends to each participant (including R) one of the remaining subsystems. 

2: Each potential sender Pi (except S) measures all systems he is possessing in the basis {|+), | — )} 
and records the outcomcs Oi j , j = 1 . . . n (each participant rcccivcd n quantum systems) . He sends 
these results to S using MTAR. 

3: S sends himself a dummy message (e.g. a random bit) using MTAR. 

4: S = Pji repairs the state of each system he shares with R to the EPR pair |<í> + ). To repair the 
i-th system he applies a z to his system if ® n ^Z\°j,i = 1 ( we formally set oy = 0). 



The bàsic method of the generation of an EPR pair in Protocol 2 is based on a simple observation. 
If we take an n-qubit generalized GHZ state |$) = ^j(|0)® n + ll) 8 " 1 ) and measure arbitrary (n — 2) 

qubits indepcndcntly in the dual basis = "Tfd^) + | — ) = ^7j(|0) — I-*-))}) thcn the state of 

two remaining qubits col·lapses, depending on results of the performed measurements, either to |$ + ) = 
-^j(|00) + 1 1 1 ) ) (if the number of outcomes |— ) was even) or to |$~) = -i=(|00) — |11)) (if the number of 
outcomes |— ) was odd). Sender receives outcomes of all measurements and hence he can easily repair 
the state of the system SR to \4> + ) by applying a z to his system when necessary (he counts the number 
of outcomes |— )). 

Let us suppose that measurement outcomes are publicly broadeasted instead of being sent via 
MTAR. In this case also the sender is forced to broadcast publicly outcome of his measurement. Since 
the distributor of the state |<E>) is in principle interested in compromising anonymity of the sender, he 
may create and distribute system of n qubits, where each of the qubits will be randomly in a state |+) 
or |— ). Since sender does not perform measurement, he has chance 1/2 to be caught not measuring 
the system and his identity will be revealed. It is not sufficient to send the measurement outcomes 
securely to receiver, because he can cheat as well. The key obstacle is that it is insecure to suppose 
that the original system is in the state |$) if it is created by someone else than the sender. Therefore 
we use MTAR to send outcomes to S. 
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The fact that quantum system in state |$) is created and distributed by each of the participants 
will be used in Protocol 3 to lay traps to detect disrupters while preserving anonymity of the sender. 



Theorem 3.1. Protocol 2 preserves anonymity of the sender and when participants do not disrupt it, 
it creates n — 1 EPR pairs shared between públic receiver and anonymous sender. 

Proof. Behavior of the sender differs only in local actions he performs on his quantum systems, what 
cannot be detected, and in the classical bit he sends in Step 4:, that is uncorrelated to the quantum 
system he received. However, he is the only receiver of this information and hence his behavior is 
indistinguishablc from all othcr participants. 

It is obvious that when other participants do not disrupt the protocol, it creates n — 1 EPR pairs 
shared between públic receiver and anonymous sender. □ 

The disadvantage of Protocol 2 is that it is vulnerable even to a small amount of noise, which can 
be introduced by a malicious participant. To prevent this we have to allow honest participant to detect 
possible malicious behavior of other players on the state he distributed. This means we should provide 
him a way how to verify that they indeed performed measurement in dual basis and submitted correct 
outeome to the sender. In order to do this each player in each round of Protocol 3 randomly decides 
whcther he will operate in an actual or in a trap mode. In the trap mode he sends his trap states to 
the sender who later verifies whether there was any disagreement with reported outeomes of particular 
measurements. Note that this disagreement can be caused by both disruption and malicious behavior 
of the trap layer, but this does not compromise security of the protocol. 

Important is that if an honest trap state was distributed, malicious participants must cither measure 
it in the dual basis and submit correct outeome or there is a probability that they will be detected, 
which is proportional to the amount of noise (strength of disruption) they introduce. This is formulated 
in Lemma 3.2, which is proven in Appendix A. 

Lemma 3.2. Let us suppose that quantum systems P\,...,P n (controlled by a set of participants P ) 
are cither in the generalized GHZ state l/y/2(\0 n ) + or in one of the states {|+), \—)}® n . Let 

us further suppose that there is some collusion C C P of corrupted participants controlling (WLOG) 
quantum systems P\, . . . , P m , m < n. Let us suppose that they perform some quantum operation that 
distinguishes with good probability states {|+), |— )}® m from each other. Provided this operation gave 
outeome \4>) £ {|+), |— )}® m > the state of unmeasured systems P m +i, . . . , P n is close to 



When disagreement is detected, protocol is restarted and potential sender will simply ignore the 
participant who was detected to disrupt his state and therefore this participant has no chance to 
introduce errors. The list of participants each potential sender Pi distributes the generalized GHZ 
state to is the set P^. This is analogical to removing edge from the key sharing graph in [2]. 

Theorem 3.3. Protocol 3 preserves anonymity of sender and it with high probability generales at least 
one ( concrete number of EPR pairs de.pe.nds on entanglement distillation settings ) EPR pair shared 
between anonymous sender and públic receiver for each honest potential sender. 

The last step of Protocol 3 allows three possible solutions with different security implications. 
In Step 14 sender learns which of sets was distillable [17] and which was not. Important is that 
receiver does not learn this and that is why entanglement distillation with one-way communication 
must be used. The number of EPR pairs dishonest participants must disrupt grows with the number 
of generated EPR pairs. On the other hand, the probability of detection of at least one disrupter 
grows cxponcntially with the number of EPR pairs malicious participants disrupts and therefore we 
can always guarantee reasonable amount of noise (that allows distillation) in the set of states which 
was generated by an honest participant. 

We can modify the protocol in the way that it is not necessary to restart it when disrupter is 
detected. The only differcnce is that disrupters are able to introduce more noise- than in the original 
protocol, each eavesdropper must be considered independently and therefore possible undetected noise 
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Protocol 3 Anonymous EPR gcneration 

Participants: Potential senders S = {Pí}í, publicly known receiver R, unknown sender S € S 
Input: m - thc number of rounds that should be cxecuted, p - probability that potential sender decides 

to switch to the trap mode 
Goal: S wants to generate a number of EPR pairs shared with R in the way that his identity remains 

anonymous. 

Requires: MTAR of classical information, anonymous broadcast, bipartitc authenticatcd quantum 
channcl between each pair of participants, públic cntanglcmcnt distillation protocol 

l: Set all sets P, = P. 

2: repeat > Rcpcat m times 

3: Each potential sender Pi (including S) decides whether he will operate in trap (probability p) 

or actual (probability 1 — p) mode and reports this to S using MTAR. 
4: Each Pi operating in actual mode creates an |Pj| qubit quantum system in the state |<I>) = 

_^^|Q^®l p íl _|_ |i^l Pi l) ; keeps one subsystem and sends to each participant in Pj (including R) one 

of the remaining subsystcms. 
5: Each Pi operating in trap mode sends to each participant in P; quantum system randomly in 

state |+) or | — ) and remembers states he sent. 
6: Each potential sender Pi (except S) measures all systems he is possessing in the basis {|+), |— )} 

and records outeomes Ojj , j = 1 . . . n — 1 (each participant received n—1 quantum systems). First 

index refers to participant performing the measurement, second index identifies creator (distributor) 

of the system. He sends these results to S using MTAR. 
7: Sender measures all systems which were reported in Step 3 : to be trap states. 
8: Each potential sender operating in the trap mode sends to S using MTAR the list of trap states 

he distributed. 

9: S compares each received list with outeomes of measurements he obtained from participants 
and publicly (using anonymous broadcast) announces any disagreement including disagreement in 
his measurement. 

10: If there was any disagreement, corresponding sets Pi are modificd and protocol is restarted: 
If there was a trap system distributed by participant Pi and incompatible measurement outeome 
received from participant Pj, then Pj will be removed from P^'s cooperation set, i.e. P,; <— P.;\{P,}. 

11: S = Pj' repairs the state of each system he shares with R and which was not reported to be 
the trap state to the EPR pair |<E> + ) (in case the system was not disrupted, otherwise the state is 
random), i.e. to repair the i-th system he applies a z to his system if ®™Zi°j,i = 1 ( we formally 
set Oj> t i = 0). 

12: Both S and R remember who created each particular EPR pair (more precisely - the original 
state |$)). Later, in Step 14:, they perform indcpcndcntly a test for purity of EPR pairs created 
by each participant. 

13: until executed m times 

14: S and R perform cntanglcmcnt distillation with one-way communication indcpcndcntly on each 
set of all (possibly noisy) EPR pairs created by particular participant. They suecced with high 
probability to distill EPR states created by each honest participant. Classical communication from 
R to S is realized using MTAR. 

15: Create anonymously shared EPR pair(s), see discussion following after Theorem 3.3. 
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in each particular cnscmblc will bc multiplied by the number of disruptcrs. This implics that the 
number m of rounds must be increased appropriately. On the other hand, the fact that we do not have 
to restart the protocol increases efficiency greatly, since disrupters might behave in the way that they 
disrupt at the end of the protocol to increase time and communication complcxity. 

The key problem is the Step 15 : since sender and receiver must establish a number of pure EPR 
pairs, but receiver should not be able to learn which set of original states was not distillable. In case 
receiver can do so, he can in coopcration with other dishonest participants compromise anonymity of 
the sender. It is sufficicnt that each dishonest participant introduces in the states he generates noisc 
affccting only one honest participant, e.g. he is sending him random particle and otherwise he behaves 
correctly. In case such an ensemble of states is found not distillable in Step 14, it means that the only 
disrupted participant was the sender and his identity is revealed. 

In order to prevent this receiver must not learn which ensemble was noisy and which was not. 
Possible solution to this is to take all states obtained in Step 14 regardless whether they emerged from 
successful or insuccessful distillation and distill them together using some distillation procedure with 
one- way communication. The number of errors is the number of system generated by disrupters. In case 
we consider that we extracted one EPR pair for each participant, the number of disrupting participants 
protocol can tolerate is bounded by the quantum Gilbert-Varshamov bound which establishes the bound 
for errors distillable with one- way communication [18]. A subject of future research will be to design 
specific entanglcmcnt distillation procedure that uses the sender's knowledge which states arc pure and 
which arc noisy. This may allow to exceed the Gilbert-Varshamov bound. 

Other possibility is to simply inform receiver in which cases the distillation succeeded. In this case 
protocol works even in case there are only two nondisrupting potential senders, but it is secure only 
provided that receiver does not cooperate in a malicious way with potential senders. 

4 Conclusion 

Protocol 3 is quite difficult to implcment cxpcrimcntally, howcvcr, for anonymous transfer without 
disruption detection it is suíficient to use simplified version of Protocol 2, especially it is sufhcient 
that only one randomly chosen participant distributes the generalized GHZ state. Five participant 
version of this protocol is (up to classical communication) exactly the experiment [19], although the 
motivation of this experiment was different. Therefore the experiment [19] can be considered to be the 
first experimental realization of simplified version of our anonymous transfer protocol. 

It is possible to adapt Protocol 3 to tolerate certain amount of noise. All what has to be done is 
that small fraction of incorrect answers won't be considered to bc disruption and parameters p and m 
(optionally also distillation parameters) will bc adjusted to increase probability of disrupter detection 
and preserve the level of noise. 

Due to no-cloning thcorem and properties of authentication of quantum information [15] it is impos- 
sible to simply modify the digital pseudosignaturcs proposcd in [9] to work with quantum information. 
There are two main reasons - from the no-cloning theorem we obtain that we must have a number of 
identical copies of quantum state if we want to apply digital pseudosignatures. Even more fundamcntal 
problem is the result of [15] that any authentication also encrypts quantum information and therefore 
other participants have no chance to verify whether two different signatures correspond to the same 
message. 

As a conclusion we remark that it is possible to modify this protocol to realize MTAR of quantum 
information. It sufficcs to invert the direction in which the message is being teleported at the end of 
the protocol. Our approach can be also modificd to assurc simultaneous anonymity of the sender and 
the receiver, but this beyond scope of this paper. 
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A Proof of Lemma 3.2 



In ordcr to distinguish products of dual basis states corruptcd participants havc to pcrform some kind 
of measurement on Px, . . . , P mi which can be reprcsentcd as a von Neumann measurcment on some 
larger system (i.e. togcther with some ancillas) Px, . . . , P m , Ai, . . . , Ak, where ancillary systems are 
in some fixcd purc statc |ai). It is easy to see that this measurement is the most general opcration 
thcy can perform, since any unitary opcration bcforc measurement can be seen as a change of the 
measurement projcction operators. 

Let us suppose that they perform measurement using projectors {Mí}í = and let {|&j)}| =1 be all 
eigenvectors of measurement projectors. We will express members of this basis as a supcrposition of 
vectors from product basis {|+), |— )}® m cg) {|oi)}f = i, where {|ai)}| =1 is a basis on the ancillary system 
A±, ... , Ak- Let us express 



where {|"0í)}?=i is some enumeration of the basis states {|+), \—)}® m . The fact that the measurement 
distinguishes products of dual basis states with good probability means that when there is a non- 
ncgligiblc probability of obtaining projector M € {Mí}í as an outeome, then this outeome must givc 
answer about original state of the system Pi, . . . , P m . It means M restricted on systems Px,..., P m is 
closc to projector on some state \ipi) £ {|+), |— )}® m . Otherwise M has eigenvector \bj) such that it 
has nonncgligiblc cocfficient X)i a y>.? m ^q. ^ corresponding to diffcrcnt basis states \ipi>) ^ \ipi) and 
therefore M might have been obtained even if the systems Pi, . . . , P m were in the state \tpi')- 

This proves our statement since such a projector causes collapse of quantum systems P m +i, ■ ■ ■ , P n 
close to collapse caused by independent measurements in the dual basis with outeome 



In order to prové sender's anonymity we will analyze all steps where his behavior differs from behavior 
of other potential senders. In Step 6 : the sender does not measure state he received, but this is only 
local opcration which cannot be detected. He measures all systems that were reported to be in one of 
the trap states. In Step 9 : he reports all disagreements in states that were in advance reported to be 
trap states. He also announces optional disagreement in his measurement (although this implies that 
the distributor of the trap states was lying) , but he measured trap states as all other honest potential 
senders and therefore his anonymity is not thrcatencd. 

In Step 11 : the sender performs only local operations on his quantum systems what cannot be 
detected. In Step 14 : the sender cooperates with the receiver on distillation of the shared EPR 
pairs. The sender is receiving classical communication through MTAR and performing local quantum 
operations and therefore his anonymity is not compromised. Analysis and discussion of Step 15: is in 
paragraphs following after Theorem 3.3. 

To prové that each ensemble of EPR states originating from generalized GHZ state distributed by 
an honest participant is distillable we have to prové that the amount of noise disrupters can introduce 
into such an ensemble is below distillable threshold. In fact, we will show that at the cost of efhciency 
we can guarantee with arbitrarily high probability arbitrarily small amount 7 of noise in all ensembles 
generated by honest participants. 

Let p be the probability that honest participant decides to operate in a trap mode, (n — 1) the 
number of rounds of Protocol 3, the fraction of error repairable by the chosen entanglcmcnt distillation 
procedurc (distillation succeeds if the number of errors in a group of r systems will be lower that Or) 
and £ the probability that disrupter of the quantum system 8 guesses the trap state incorrectly. 

Let us suppose that there is a collusion of disrupters disrupting generalized GHZ states distributed 
by a particular honest potential sender. In order to prevent distillation of this ensemble they have 
to disrupt Om (1 — p) systems (since on average only (1 — p)m rounds are in actual mode). When 

7 By amount of noise we mean the ratio between disrupted and pure EPR pairs in the ensemble. 

8 We consider here maximal disruption, i.e. opcration introducing maximal error in distillation procedure. Smallcr 
error will allow better information about the trap state, but also causes smaller disruption, see Lemma 3.2 




(2) 



y 



B Proof of Theorem 3.3 
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disrupting a particular system there is a probability p£ that disrupter will be detcctcd. Probability 
that 9m(í — p) disruptions remain undetected is 

Prob(disr) = (1 - p£_) 9m ^ p \ 

i.e. the it decreases exponcntially with m. Thcrcfore we can choose arbitrary Prob(disr) and 9 and 
thcn choose sufSciently large 

log 1 _ £ Prob(disr) 

m > —, r . 

9(1 -p) 
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